From Lehigh.EDU!owner-virus-l  Sun Apr 21 09:07:22 1996 remote from vhc
Message-Id: <01I3T4WGFHFYSKVG0S@csc.canterbury.ac.nz>
Date: 	Sun, 21 Apr 1996 14:25:30 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #55
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-To: virus-l@LeHigh.EDU
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Sunday, 21 Apr 1996    Volume 9 : Issue 55

Today's Topics:

How many viruses?
Re: Need a way to automatically update Virus Checkers.
Re: EliaShin (sp?) antivirus software
Q: strange crash - security hole, virus or bad config? (UNIX)
URGENT: Norton AV for NT erased my logical partitions (NT)
Help!!!  Very unstable Performa 6200 (MAC)
Clean Boot Floppy (WIN95)
Re: Norton Anti-virus or McAfee (WIN95)
Computer gone nutz! (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Monkey and partitioned drives (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Need help with whacked PC (PC)
Old Tandy machine lost all files except 7 (PC)
Problems after F-PROT disinfection of QUOX (PC)
Re: Flesh Eating Virus? (PC)
Re: Program to backup mbr and boot sector (PC)
Re: A possible virus! (PC)
Even Beeper virus (PC)
Re: Parity boot? What should I do? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Where to get a virus check up grade? (PC)
Re: Help ,welcomb virus (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Trabajo_hacer.b Virus (PC)
Re: Help on DESPERADO A/B required (PC)
Virus-related FAQs [long]

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 17 Apr 1996 23:06:28 +0200
From: Niklas <niklas@wineasy.se>
Subject: How many viruses?
X-Digest: Volume 9 : Issue 55

I'm writing a report in school about viruses, and I've read
that in 1986 there were only 4 viruses and in 1991 about 1000
- so I would like to know approx. how many viruses there
were every year from 86-96.

I will use this in my report and I must know where the info comes from.

Please email to niklas@wineasy.se if you have any good links or stuff.
(not to comp.virus) Ok, thanks! :)

------------------------------

Date: Thu, 18 Apr 1996 12:08 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Need a way to automatically update Virus Checkers.
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>
Ken Griffin <kgriffin@busweb.com> writes:

> Can anyone help with automation?

Dr Solomon's Anti-Virus Toolkit can automatically update workstations 
with the latest version of the software from the network (this saves an 
awful lot on shoe leather).  I would be surprised if other anti-virus 
products cannot do the same.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 12:08 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: EliaShin (sp?) antivirus software
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>
Frank Christensen <frankc@aquila.com> writes:

> Hello!  A friend at a nearby university learned they are going to be 
> installing an antivirus program that neither he nor I had heard about:
> 
> "....they are installing an antivirus called "EliaShin" in
> our PC labs - the main file itself is called "ViruSafe" - however,
> unlike Symantec's Norton Antivirus and McAfee's VirusScan and the
> Finnish Datafellow's F-PROTECT, and IBM's IBM Antivirus, and/or the
> British "Dr.Solomon" - I can find out NOTHING about this product,
> other than it comes from Israel!"

It's EliaShim actually, and their product is called "ViruSafe".  You'll 
find them on the web at http://www.eliashim.com.  I seem to recall that 
the latest edition of Virus Bulletin included a review of EliaShim's 
anti-virus software.

> Does anyone have any firsthand knowledge about this product, and 
> possible site of reviews/evaluations?

Other than the Virus Bulletin review mentioned above there are also a 
number of independent comparative anti-virus reviews to be found at 
http://www.drsolomon.com/avtk/reviews

Some of these include tests of EliaShim ViruSafe.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 01:32:53 +0000 (GMT)
From: David Saunderson <hercules!saunders@uunet.uu.net>
Subject: Q: strange crash - security hole, virus or bad config? (UNIX)
X-Digest: Volume 9 : Issue 55

We have a SPARC 10 running Solaris 2.4 that has been running stable for
months.  Then it began to hang, not crash, without a clue to its cause.
This would happen once every few days.

Questions:

Could it be a "virus"? (Please don't send me replies explaining
	the difference between virus, worms, trojan horses, etc.)

Is there such thing as a Sun/Unix "virus" ?

Are UNIX virus checkers available?  Are cleaners?

If you have information or can point me to some white papers, it
	would be appreciated.

Thanks in advance

Please reply to : saskgeo@unibase.unibase.com
And I will summarize in two weeks if there is any interest.

------------------------------

Date: Sat, 20 Apr 1996 20:22:12 +0000 (GMT)
From: Hyun <hyunkim@engin.umich.edu>
Subject: URGENT: Norton AV for NT erased my logical partitions (NT)
X-Digest: Volume 9 : Issue 55

I ran Norton AV and my system came out clean except for one boot
sector.  It reported that one of my master boot records was infected
with the new NYB virus.  So I had it cleaned.  After this was done,
the secondary partitions (h:, i:) on my second drive disappeared.  NT
and Fdisk (DOS) report that I only have the primary partition on my
(1.2gb) Western Digital drive.  However, File Manager (both
win3.11 and NT) tells me that the d:\ drive is only 544mb and that I
do not have h: or i:.

Is there a way to get back the lost logical drives?  Please say yes,
please.

Please reply via e-mail as soon as possible.  I was currently working
on a school project which disappeared with the logical drives.  Thanks
a bunch.

------------------------------

Date: Thu, 18 Apr 1996 05:00:18 +0000 (GMT)
From: Jason Alan Blough <jblough@bgnet.bgsu.edu>
Subject: Help!!!  Very unstable Performa 6200 (MAC)
X-Digest: Volume 9 : Issue 55

I have a Mac Performa 6200CD and I'm having all kinds of problems.  Macs 
have a tendency to freeze or lock up from time to time, right?  This one 
used to do that, but now it freezes up all the time.  It once took me a 
half an hour to get it to start because it kept freezing up.  It doesn't 
lock up on any specific application.  It happens at any time, no matter 
what I'm using.  It goes in streaks too.  Sometimes it will lock up over 
and over again and sometimes it works fine. (I hope I didn't just jinx 
myself, I'm using the above named unit now!)

At one point it would act like it was starting up (the power light came 
on and you could hear it booting up) but the monitor never showed 
anything.  It stayed black (yes, it was on).  I had to completely reset 
at this point.  It also sometimes plays the beginning of the Twilight 
Zone when I first start it.  Isn't this a crash notice?
Anyway, does anyone know of a virus that may be causing this?  Some 
people think it may be the system software (7.5.1).  I'm in the process 
of getting the upgrade (7.5.3).  It just seems strange to me that it 
worked fine for a couple of months before it acted up.

Any other suggestions?

I am not a regular visitor of this group, so I'm sorry if this topic has 
been beat into the ground.  Along the same lines, please respond to me 
directly or I may not get the message.

TIA!!
Jason
jblough@bgnet.bgsu.edu

------------------------------

Date: Wed, 17 Apr 1996 22:22:02 -0400
From: Larry Frank <elfrank@globalone.net>
Subject: Clean Boot Floppy (WIN95)
X-Digest: Volume 9 : Issue 55

Can a clean boot floppy be created using Win'95 or should it be created 
using an older version of DOS?  Why?

Thanks
Larry Frank

------------------------------

Date: Thu, 18 Apr 1996 12:12 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Norton Anti-virus or McAfee (WIN95)
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>
Sachi Noma <snoma@aloha.net> writes:
 
> which is better under Win95: Norton Anti-Virus or McAfee?

Depends what you mean by better.  Better user interface?  Better speed?  
Better detection of viruses?  Better identification of viruses (NB: 
different from detection)?  Better clean-up of viruses?  Better on-access 
interception of viruses?  Better technical support?  Better support for 
compressed and archived files?  Better detection of new and unknown 
viruses?  Better at avoiding false alarms?  Better price?

It seems most people mean "better detection" when they ask which is 
"better".  There are some independent comparative reviews of Win95 
anti-virus software at http://www.drsolomon.com/avtk/reviews.  They 
include tests of the products you mention above.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 17 Apr 1996 19:53:33 -0400
From: Cheshire <tjvines@hamlet.uncg.edu>
Subject: Computer gone nutz! (PC)
X-Digest: Volume 9 : Issue 55

Recently, my entire hard drive crashed. I loaded DOS, did a scan disk and 
400mb of HD space were gone! Just disappeared! So I reload everything and 
I get mem parity errors. I finally had to replace all my mem. WAS this a 
virus? I'm just curious. I'm new to the virus world.

BTW: It said my C: drive was unlocatable before loading DOS.

------------------------------

Date: Wed, 17 Apr 1996 17:53:51 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 55

In article <0018.01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz>
	   mramey@u.washington.edu "'Mike' M Ramey" writes:

> Iolo, Graham, Dr. Solomon, and development folks at S&S:

I am not an S&S employee, and have no influence on their 
development decisions.

>    Please print an *explicit* message in the FindVirus output that
> *clearly* indicates the occurrence, cause, and consequences of switching
> into "review" mode.  The word "like" is *not* a substitute for a clear
> explanation of what is going on!

The word "like" is not an indicator for review mode.  The word 
"like" means that the virus has not been precisely identified by 
the extra thorough checksumming method that FindVirus normally 
uses.  This can mean that you are in review mode, or it can mean 
that you have a variant of the virus that does not match the 
checksum. 

>    I have sent you messages in the past (and I will send you more soon)
> about the lack of clarity (or inaccuracy) of messages from the FindVirus
> program.  

The message is accurate.  Since the precision checksumming turns 
off after 10 different viruses are encountered, FindVirus no 
longer says that viruses are "identified as" whatever precise 
virus variant name, but says that they are "like" whatever main 
virus name.  This does not miss any viruses, nor does it increase 
the possibility of false alarms.  It just doesn't distinguish 
precisely between the different variants of a particular virus.  

This review mode only happens when more than ten different 
viruses are found during a scan.  That means that it is extremely 
unlikely to happen to any real user, but only when someone is 
running FindVirus on a large collection of viruses.

FindVirus' precise identification checksumming is an extra level 
of precision not found in other anti-virus scanners.  It is 
really only needed during repair, or when reporting a virus name 
to tech support, neither of which are applicable to the 
situation when someone runs a scanner on a large collection of 
viruses.  

If a user has more than ten viruses on his machine, no doubt he 
will run FindVirus /REPAIR to get rid of them.  The /REPAIR 
switch stops FindVirus going into review mode, because it uses 
the precise identification to do repairs. 

There really isn't any downside to this.    

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

Date: Thu, 18 Apr 1996 01:49:48 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Monkey and partitioned drives (PC)
X-Digest: Volume 9 : Issue 55

Minor technical nitpicks follow.  If you don't care, press "N" now.

Stefan Kurtzhals (kurtzhal@wmwap1.math.uni-wuppertal.de) wrote:
> >Here's how it is.  If you have Monkey on a multi partitioned (yes 
> >Double / Drive Space users, that means you), and you run FDISK /MBR, 
> >it is gone.  You have to reformat and start over.  I know this 
> >because I sent my computer in, and those idiots ran FDISK with the 
> >MBR command, and shot my hard drive out of the water.  
> 
> Well, the FDISK /MBR deleted all the data not because of DBLSPACE
> or DRVSPACE but because Monkey uses a special way to infect the
> partition sector. (Or at least it changes the sector in a
> special way)

   Right.  No data are deleted under normal circumstances, but might be 
with drivers like Disk Manager.  In that case, though, the drive is 
unlikely to boot immediately after infection, so at least one will know 
right away and not many floppies will be infected.

> >You replace the partitioned (and infected) header with a normal 
> >(unpartitioned) header.  
> 
> This is correct, FDISK /MBR rewrites the first 1bdh bytes of the
> partition sector with the standard DOS code. 

   Actually it -writes- the whole 512 (0200h) bytes, but only the first
446 (01BDh) of them are modified in most cases.  Monkey is one of those
cases. 
 
> This will remove the virus code completely 

   True for Monkey and most other BSIs after a clean boot, but... 

> (this will remove every boot virus which is located in the partition 
> sector). 

   Not -quite- all.  Consider e.g., Orsam.  Can't boot with DOS 5 or 
higher, so can't use FDISK this way, since it wasn't an option in DOS 4 
and before.  Good thing, too.
 
> > This causes the disk to not understand how 
> >to read itself.  Thus, all data is lost.  

> Monkey (and other boot viruses) invalidates the partition entries

   Make that *some* other BSIs.

> located in the partition sector. Because the virus itself has stealth
> functions and shows the original uninfected sector to the system, your
> computer still boots up normally. 

   Nothing to do with Monkey's stealth, since it loads the previous MBR 
directly.

> But when you boot from a clean disk and the virus is disabled in memory,
> DOS can't access the hard drive anymore (you still can read sectors on the
> BIOS level). If you try to access C: you just get "Invalid drive C:".
> FDISK /MBR kills the virus, but does not repair the partition entries. In
> this case, FDISK /MBR will make all data inaccessible. 
>  
> >(unless you wish to rewrite your MBR by use of a disk utility.
> 
> Or you use the "Store partition sector" function offered by almost 
> every antivirus program. 
> 
> That's the problem: most people just scan for viruses but don't use 
> the full features of their antivirus program. It's so easy to remove a 
> boot virus! 
>
> >BTW, I learned this from experience.
> 
> Don't forget to switch the boot-up sequence in the BIOS from "A: C:" to 
> "C: A:". It's the cheapest and most effective protection against boot 
> virus.

   Agree 100%.

   -BPB
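
A check one might run before rewriting MBR boot code, as an added example that is not part of the original posts: it parses the standard partition-table layout (four 16-byte entries at offset 446, signature 55 AA at offset 510) and refuses the rewrite when the table read after a clean boot does not validate, since a rewrite of the first 446 bytes keeps whatever table is on disk. The names `check_table` and `guarded_rewrite` are hypothetical and both sample sectors are constructed.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # loader code area; rewritten by a boot-code repair
TABLE_OFFSET = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR


def parse_partition_table(sector):
    """Return the four partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, count
        flag, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"slot": i, "flag": flag, "type": ptype,
                        "start": start, "sectors": count, "raw": raw})
    return entries


def check_table(sector):
    """Return a list of reasons the partition table looks invalid (empty = OK)."""
    entries = parse_partition_table(sector)
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 55 AA signature")
    used = []
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            problems.append("slot %d: bad boot flag 0x%02X" % (e["slot"], e["flag"]))
        if e["type"] == 0:
            if any(e["raw"]):
                problems.append("slot %d: type 0 but entry is not blank" % e["slot"])
        elif e["sectors"] == 0:
            problems.append("slot %d: partition with zero sectors" % e["slot"])
        else:
            used.append(e)
    if sum(1 for e in entries if e["flag"] == 0x80) > 1:
        problems.append("more than one active partition")
    if not used:
        problems.append("no usable partition entries")
    used.sort(key=lambda e: e["start"])
    for a, b in zip(used, used[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            problems.append("slots %d and %d overlap" % (a["slot"], b["slot"]))
    return problems


def rewrite_boot_code(sector, new_code):
    """Replace only the first 446 bytes; table and signature are kept as found."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def guarded_rewrite(sector, new_code):
    """Rewrite boot code only if the on-disk table validates; return (new, backup)."""
    problems = check_table(sector)
    if problems:
        raise ValueError("refusing to rewrite boot code: " + "; ".join(problems))
    backup = bytes(sector)          # keep the original sector for restoration
    return rewrite_boot_code(sector, new_code), backup


def _entry(flag, ptype, start, count):
    """Build one constructed table entry (CHS fields left as zero)."""
    return struct.pack("<B3xB3xII", flag, ptype, start, count)


# Constructed sample: a readable table (one primary, one extended partition).
HEALTHY = (b"OLD LOADER".ljust(446, b"\x00")
           + _entry(0x80, 0x06, 63, 1044162)
           + _entry(0x00, 0x05, 1044225, 1052352)
           + bytes(32) + SIGNATURE)

# Constructed sample: table area holds bytes that are not valid entries,
# standing in for a sector whose partition entries have been invalidated.
UNREADABLE = (b"OLD LOADER".ljust(446, b"\x00")
              + bytes((i * 37 + 11) % 256 for i in range(64))
              + SIGNATURE)

if __name__ == "__main__":
    print("healthy   :", check_table(HEALTHY) or "table OK")
    print("unreadable:", check_table(UNREADABLE))
```
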

------------------------------

Date: Wed, 17 Apr 1996 00:01:31 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 55

In article <0010.01I3O5HCRZF2SKU6UC@csc.canterbury.ac.nz>
	   73323.2516@compuserve.com "Harald Horgen" writes:

> I think Vi-Spy is the only product that is written in Assembler, so it
> has a real advantage in that its code is nice and efficient.

Nope, not the only product.  Dr. Solomon's VirusGuard has always 
been written in assembler.  I think the VxDs (Windows and Win95) 
are written (mostly?) in C, but size is not a problem in Windows.

You don't say how big the memory resident portion of Vi-Spy is?

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

Date: Wed, 17 Apr 1996 22:28:00 -0400
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: Need help with whacked PC (PC)
X-Digest: Volume 9 : Issue 55

In article <0007.01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz> fty@mcnc.org 
(Frank Terhaar-Yonkers) wrote:

> Tell me more.  I've a situation where *something* ate my son's PC/win3.11.
> 
> It walked the directory tree, and deleted every file. Norton unerase works
> just fine, but is tedious.  I'd like a utility that lists EVERY restorable
> deleted file, writes that list to a floppy file or another hard drive.
> I could then use the list to process those names against a list of names
> from a healthy machine to determine the appropriate first character which
> could be fed back to the unerase process.

   It might not do quite what you request, but Norton QuickUnerase will 
work by giving the command QU C:\*.*   I don't recall offhand whether it 
will deal with subdirectories, or if it comes with current versions of NU.

   Also, UNERASE that comes with DOS 5 should do the trick.

NOTES:
   1. File name doesn't matter much for the purposes of unerasure;  use
      whatever letter you like and rename afterwards.  I assume that you 
      have a list of filenames already; once the file is deleted, its
      first letter is gone forever. 

   2. Unerasure will be likely to fail for any fragmented file.  Hence
      you'll often get good success for files installed all at once, e.g.,
      software programs and support files, but much worse results, if any,
      for data files.  The latter tend to be created over time, which
      leads to fragmentation. 

   -BPB

------------------------------

Date: Thu, 18 Apr 1996 03:14:04 +0000 (GMT)
From: Savio Wong <swong@wat.hookup.net>
Subject: Old Tandy machine lost all files except 7 (PC)
X-Digest: Volume 9 : Issue 55

     I am the computer manager for a secondary school.  For the past
three weeks, I have been battling the 'Burglar 1150' virus on our Novell
networks.  Before I state my problem today, I'd like to publicly thank all
the people who emailed me with useful suggestions, thanks.  I am happy to
report the system has been running clean for a week. 

Now.... another possible virus?

    In my school, we use an old Tandy computer (XT) to keep track of a
number of control programs such as temperature, air flow, alarms etc..  

    The computer has a 40M harddrive.  Earlier today, all the files 
disappeared except 7 COM files in the root directory.  It also shows 0
byte free with a DIR.  I can't even do a 'format c:', the computer
replies with 'cannot write to the harddrive'.  

    According to the custodian, before the files disappeared, the lower
part of the monitor displayed a raging flame for a few seconds.

    Is this a virus, or did the computer's hard drive fail because of age?

    Any comments are of course appreciated.

    Regards,

    Savio Wong
    Waterloo, Ontario
    CANADA

------------------------------

Date: Thu, 18 Apr 1996 10:58:56 +0000
From: "Dr. Martin Erdelen" <hrz090@sp2.power.uni-essen.de>
Subject: Problems after F-PROT disinfection of QUOX (PC)
X-Digest: Volume 9 : Issue 55

One of our users ran into problems after finding the Quox.A
virus on his HD (he used F-Prot 2.22).  F-Prot reported
successful disinfection but afterwards, his HD (one of two
physical drives, whole HD is one partition, size 205 (?) MB)
was trashed: he can still see (dir) but not use most of his
files; also, FDISK wrongly reports a large portion of the disk
as "free". (To me, this sounds like a broken MBR). From the
description at the Datafellows site (thanks for the service,
guys!) I get the impression that Quox is relatively harmless (I
know there ain't a harmless virus...) - so I am surprised that
this kind of problem turned up. As a long-time F-Prot user
convinced of its quality, I find it difficult to believe that
F-Prot really couldn't handle Quox correctly.

I had never heard of Quox before.

- Has anyone had similar experiences?
- How would one go about repairing the damage?
  (From what I read here recently, I have grown rather reluctant
   about FDISK /MBR)?
- Would manual patching together of the still recognizable file
  fragments be the only option at this point?

Thanks in advance for any advice.

Best regards,
Martin

    (~  , ,
   (___/__/__-_
Dr. Martin Erdelen
-Computing Centre-        Internet: erdelen@hrz.uni-essen.de
University of Essen           Tel.: +49 201 183-2998

------------------------------

Date: Thu, 18 Apr 1996 08:07:45 +0000
From: Martin Overton <ChekMate@salig.demon.co.uk>
Subject: Re: Flesh Eating Virus? (PC)
X-Digest: Volume 9 : Issue 55

In article: <0016.01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>  Steve 
Anthony <santhony@morgan.ucs.mun.ca> writes:
> 
> Recently I've been made aware of a possible virus in my university.  
> Apparently, this computer Flesh Eating Virus, is a new one, corrupting 
> disks and scrambling their contents.  

I haven't heard of this one, yet!
 
> I recently received a disk from a friend, and attempted to access it.  It
> replied with a Divide by Zero error on EVERY attempt, ie:  DIR, F-PROT,
> Norton, debug.... EVERYTHING.

Sounds more likely to be a system error than a virus. BUT it could be a 
new virus. 
 
> I was able to manage a hack with norton to let me view some of the 
> physical sectors, and I found partial documents all over the place.  

A normal drive may well be fragmented and the sectors for a specific 
file may well be all over the place. Bit like a jigsaw really, except 
DOS and other OS's keep track of the 'bits' of a file and where 
they reside.
 
> I was told that a new Flesh Eating pc virus was detected locally, but
> most scanners don't yet recognize it.  Any truth?  If so, what can I do?

Try ChekMate as it was written to detect viruses that the scanners may 
not yet know about. Of course, it detects most known viruses also.

You can get a trial version from the ftp site in my sig.

Hope this helps?

Let me know how you get on.

Regards,
- - 
 Martin Overton       |         ChekMate           | +44 (1403) 241376 
+---------------------+----------------------------+------------------+
| ChekMate - a Generic Anti-Virus Utility that works under DOS, OS/2  |
| and Windows (3.x/95/NT).  Detects Known and UNKNOWN Viruses without |
| Scan Strings.  FAST (<20 Secs Avg).   Evaluate ChekMate 2.0 now!    |
| Support (UK) chekmate@salig.demon.co.uk  (US) ris@transit.nyser.net |
+---------------------------------------------------------------------+
 Download it from our FTP site: ftp.gate.net/pub/users/ris1/cm200.zip

------------------------------

Date: Thu, 18 Apr 1996 08:17:14 +0000
From: Martin Overton <ChekMate@salig.demon.co.uk>
Subject: Re: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 55

In article: <0018.01I3O5HCRZF2SKU6UC@csc.canterbury.ac.nz>  
MIKE6099@aol.com writes:
> 
> Is there a (cheap) ;) program that backs up the mbr and bootable area of a
> hard disk in case of a boot virus or corruption?  Or is there an option
> like this in virusscan 95 or TBAV??

ChekMate does this as part of its protection against currently unknown 
(and known) boot and partition sector viruses.

You can get a trial version from the FTP site in my sig.

The registered version has a utility to repair the boot and partition 
sector from the backups made.

Hope this helps?

Regards,

- - 
 Martin Overton       |         ChekMate           | +44 (1403) 241376 
+---------------------+----------------------------+------------------+
| ChekMate - a Generic Anti-Virus Utility that works under DOS, OS/2  |
| and Windows (3.x/95/NT).  Detects Known and UNKNOWN Viruses without |
| Scan Strings.  FAST (<20 Secs Avg).   Evaluate ChekMate 2.0 now!    |
| Support (UK) chekmate@salig.demon.co.uk  (US) ris@transit.nyser.net |
+---------------------------------------------------------------------+
 Download it from our FTP site: ftp.gate.net/pub/users/ris1/cm200.zip

------------------------------

Date: Thu, 18 Apr 1996 08:14:14 +0000
From: Martin Overton <ChekMate@salig.demon.co.uk>
Subject: Re: A possible virus! (PC)
X-Digest: Volume 9 : Issue 55

In article: <0009.01I3O5HCRZF2SKU6UC@csc.canterbury.ac.nz>  D3lyr1uM? 
<kore8@usa.pipeline.com> writes:

> Often when playing games on my pc, I get the statement, system is
> dangerously low on resources.  One day for no apparent reason the computer
> shut off totally.  A black dos like screen came up and said Ok to shut off
> computer.  Another problem is that my sound just dies some times.  I don't
> know how the system could be low on resources when it's a P100 with 400
> megs free, 16 megs of ram.  I look at the system monitor and it always says
> 92% free?  Any ideas would be appreciated to solve my dilemmas.  I have
> scanned with nav and nothing comes up.  I also tried tba, McAfee.  Please
> help this is getting annoying

You don't say which operating system you are using, but from hints in 
your message it is probably Windows?

If so you may be running out of the GDI heap space rather than 'real' 
memory.

Things that can steal this type of resources include: Fonts, Folders and 
badly written applications that don't release resources.

If you want to confirm that a virus is not present on your system then 
can I suggest giving ChekMate a go, as it was written to detect viruses 
that the scanners may not know about yet.

It should be used alongside a good up-to-date scanner as part of a 
multi-layered approach to viruses.

Oh, nearly forgot, you can get a trial copy of ChekMate from the FTP 
site listed in my sig.

Hope this helps?

Regards,

- - 
 Martin Overton       |         ChekMate           | +44 (1403) 241376 
+---------------------+----------------------------+------------------+
| ChekMate - a Generic Anti-Virus Utility that works under DOS, OS/2  |
| and Windows (3.x/95/NT).  Detects Known and UNKNOWN Viruses without |
| Scan Strings.  FAST (<20 Secs Avg).   Evaluate ChekMate 2.0 now!    |
| Support (UK) chekmate@salig.demon.co.uk  (US) ris@transit.nyser.net |
+---------------------------------------------------------------------+
 Download it from our FTP site: ftp.gate.net/pub/users/ris1/cm200.zip

------------------------------

Date: Thu, 18 Apr 1996 11:03:14 +0000 (GMT)
From: thuynh@socs.uts.EDU.AU
Subject: Even Beeper virus (PC)
X-Digest: Volume 9 : Issue 55

I have recently encountered a virus called the HLL.Even Beeper A virus.
It has infected a lot of my .exe files, and as a result, it has totally
crashed my computer. I have attempted cleaning it with NAV, Dr. Solomon's,
as well as McAfee, but the funny thing is that, these antivirus programs
do not even pick it up. Has anyone heard about this virus?? And what the
heck is it?

Anyway, any info on it is much appreciated. Thanx all..

			- Theresa -

------------------------------

Date: Thu, 18 Apr 1996 12:39 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Parity boot? What should I do? (PC)
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz>
Mat Joyce <mjoyce@acjoyce.demon.co.uk> writes:

> I have heard that PARITY BOOT is irremovable from a system
> once on, is this true? 

No.  Whoever told you that was telling porkies.

> Why? 
> Because I have it and NEED to get rid of it.
> 
> Can you help?
> Can anyone tell me how to remove this from my system or where I 
> can get a decent virus killer from.

Download the evaluation version of Dr Solomon's FindVirus from our 
website (or from ftp.drsolomon.com).  Then cold-boot from a clean 
(virus-free), write-protected DOS disk and enter:

FINDVIRU C: /REPAIR

Remember to check your floppy disks as well, as you caught this virus 
from one of them.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 12:39 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz>
'Mike' M Ramey <mramey@u.washington.edu> writes:

> Iolo, Graham, Dr. Solomon, and development folks at S&S:

Well, Iolo doesn't work for us, but I'm sure he'll be pleased to be 
included. :-)

>   Please print an *explicit* message in the FindVirus output that
> *clearly* indicates the occurrence, cause, and consequences of
> switching into "review" mode.  The word "like" is *not* a
> substitute for a clear explanation of what is going on!

We're working on a new version of the Toolkit and the user interface, 
we'll take your comments on board for that.

But let me answer this question again just so everyone is clear.  Dr 
Solomon's FindVirus normally does much more accurate identification of 
viruses than many other anti-virus products.  It will say something like 
"FORMAT.COM is identified as Arfle.Barfle.Gloop.a virus!!!" where some 
other products would just say "Arfle".  It's because of this high level 
of identification that we can repair so well and we don't suffer from a 
false alarm problem.

Unfortunately this high level of identification means that if you use 
FindVirus against a large number of different viruses it may be 
slightly slower than other scanners (because it's doing more work).  
FindVirus does not slow down in this way when you are scanning clean 
files (which you will be doing 99.99999% of the time).

If FindVirus detects several different viruses on your computer it 
assumes that this is a review situation that is taking place and it stops 
describing viruses as "Arfle.Barfle.Gloop.a" and calls them "like Arfle" 
instead.  This does NOT affect detection!  The same number of viruses are 
detected, it's just that we're slightly less specific about precisely 
which variant.

If you don't like this you can use the undocumented switch /VID which 
means it will always say "Arfle.Barfle.Gloop.a".  To be honest I cannot 
see why this would be necessary for anyone but other virus researchers 
(people like Vesselin, Virus Bulletin, etc) and ourselves.  This switch 
is of no interest to the usual user (and to be honest they are extremely 
unlikely to be in a situation where they have half a dozen *different* 
viruses on their computer!)

So, detection is not compromised.  Furthermore if you want to clean-up 
the virus infection FindVirus turns exact virus identification on 
(because you need it for clean-up).  So, repair is not compromised either.

> I have sent you messages in the past (and I will send you more soon)
> about the lack of clarity (or inaccuracy) of messages from the FindVirus
> program.

We're always interested in ways of improving FindVirus, please keep them 
coming.  They're appreciated.  As I said, our R&D department are working 
on a new user interface - and messages from FindVirus should come under 
that umbrella.
  
> I do not doubt that your programs are of excellent quality, but
> if the output messages are inaccurate, incomplete, sloppy, or even
> only confusing, ... then it is natural for a new user to conclude
>  that the program will be of similar construction throughout.

In the particular case of the above I don't agree that the message is 
inaccurate, incomplete, sloppy or confusing.  I don't believe that new 
users will even be testing FindVirus against a large number of viruses.  
Anyway, the /VID switch is there if they want it.

> I can imagine that you are putting most of your development effort into
> AVTK for the newer platforms (including Macintosh, I hope!) and that
> FindVirus may be getting less attention, ...

Certainly not.  The virus-finding engine at the core of FindVirus is 
obviously the most important part of the entire Toolkit.  (The Mac 
Toolkit, by the way, is being written by a separate development group and 
very good it's looking too!)
 
> but if FindVirus is your downloadable demonstration & evaluation
> program, then it must be at least as good as your other, more
> flashy, products.

Yep, we think it's pretty good.  And the independent comparative reviews 
seem to bear that out.  We don't include a user interface in the 
downloadable evaluation version just because it would make the download 
far too large for most people.  If any corporates want to evaluate the 
full commercial versions of the Toolkit (including interface and flashy 
VxDs etc) they can give us a call and our sales guys can arrange it.

> Thank you,  --Mike Ramey

Thanks for the feedback Mike, it is appreciated.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 12:39 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>
GenMelchit <genmelchit@aol.com> writes:

> In article <0032.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>, "Glenn P.
> Siegrist" <teamsieg@snowhill.com> writes:
> 
> >I have a Packard Bell Legend 36CD it's a 486/50. It came with Win 3.11
> >on it I have had it for over a year now and I would like to know is
> >there an upgrade to the Microsoft virus scan program that came with it.
> 
> I was just thinking the same thing, Glenn.  My MS Anti-virus is about 
> two years old (!), and I'm wondering if it's the right thing to use
> for detection. 
> 
> Anybody have an opinion on MS Anti-virus performance?  Something better?

Yisrael Radai wrote a paper a few years ago about the weaknesses and 
security hole in MSAV.  You can find it at 

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 12:39 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Help ,welcomb virus (PC)
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz>
LEE SENG HUAT <sci30530@leonis.nus.sg>

> Any idea how to clean this memory resident virus???
> I tried using f-prot but got stuck when it scans the 
> memory. A red box appeared and I couldn't get into the
> main menu to clean the virus.

You have to cold-boot from a clean (virus-free) DOS system disk.  That 
way the virus won't be in memory and your anti-virus product should be 
able to clean-up with ease.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 12:52 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3O5HCRZF2SKU6UC@csc.canterbury.ac.nz>
Harald Horgen <73323.2516@compuserve.com> writes:

> Iolo Davidson wrote:
> 
> > In article <0038.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>
> >            chastaib@stifel.com "Chastain, Brian" writes:
> > 
> > > My main concern, however, is memory overhead.  The NAVTSR occupies
> > > 30K of RAM.  I took a look at F-PROT, and their TSR occupies over
> > > 40K of RAM.
> > >
> > > Since we're a token-ring network, and token-ring drivers are
> > > notoriously large, we can't afford to give up that much memory.
> > >
> > > My question (finally!) is, which scanning program is effective, yet
> > > has the smallest TSR footprint?
> > 
> > That would be VirusGuard, from Dr. Solomon's Anti-Virus Toolkit.
> > It has ballooned a bit since the days when I programmed it, but
> > I believe it still fits in less than 10K.  It is probably also
> > the most effective, but there are few independent tests of TSR
> > scanners to be found.
> 
> I think Vi-Spy from RG Software can lay claim to being the best product 
> in this area.  About a year ago the Virus Bulletin did a comparison of 
> most products on the market, and Vi-Spy was the only one that uses the 
> same front-end and TSR scanner.

Having the same detection in a TSR and the command-line does not 
necessarily mean that the TSR is the best available.  After all, the 
command-line version might not be very good! :-)  I can't comment in 
ViSpy's case as I haven't tested it.

However, the University of Tampere have conducted a number of independent 
comparative anti-virus reviews, including tests of anti-virus TSR 
detection.  You can find these reviews at 
http://www.drsolomon.com/avtk/reviews

> The reason is that most programs have 
> become memory hogs, and don't have room to maintain all the sig files.

It's not necessary for an anti-virus TSR to get larger as the number of 
viruses increases.

> I think Vi-Spy is the only product that is written in Assembler, so it 
> has a real advantage in that its code is nice and efficient.

All together now... "Oh no it's not!!!". :-)  The TSRs (like VirusGuard) 
in Dr Solomon's Anti-Virus Toolkit are certainly written in assembler and 
I would be surprised if any half-decent anti-virus TSR is written in a 
high level language.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 12:52 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Trabajo_hacer.b Virus (PC)
X-Digest: Volume 9 : Issue 55

>Our network is showing occasional infections of
>"trabajo_hacer.b (MBSR virus) which is the name given by
>Norman Data Defense Systems v.3.50 (espejo by F-PROT).

Here's some information from Dr Solomon's:

Espejo

Alias:  15 years, Esto te pasa

Type:  Memory-resident boot and partition sector virus.

Affects:   Floppy and hard disks.

File Growth:  N/A

Description:
When the virus is memory-resident it infects hard disks and diskettes 
being read (e.g. DIR command).

On 7th of April, or any other date if the virus infected 10 disks since 
the last bootstrap, Espejo triggers and switches to its destructive mode. 
Any disk being accessed after that is overwritten with the following text 
(in Spanish):

"Esto te pasa por programas que a nosotros nos cuesta tanto trabajo 
hacer. Que te quede de Experiencia, Mexico,1994"

The virus also intercepts INT 16 (BIOS Keyboard Services) interrupt. Then 
it occasionally simulates typos by adding 5 to the character code being 
entered from the keyboard. E.g. 'A' changes to 'F', 'B' to 'G' etc.

The virus contains another text string:  "This Virus is from MEXICO, I 
have 15 years old"

Dr Solomon's Anti-Virus Toolkit can detect, intercept, and clean-up this 
virus.  You might like to download the evaluation version of FindVirus 
from our website, or send a blank email to findvirus@info.drsolomon.com 
to receive it in UUEncoded chunks.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 08:54:24 -0400
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Help on DESPERADO A/B required (PC)
X-Digest: Volume 9 : Issue 55

Ake Gustafsson wrote:

> Anyone who knows how to get rid of the virus DESPERADO A/B. There seems
> to be no remover available????

I'm not aware of any remover for Desperado.  It infects COM's and EXE's 
including COMMAND.COM.  The only thing that you can do, that I'm aware 
of, is to boot from a clean floppy and detect the infected files and 
then delete the files.

Best of Luck.
- - 
Mike Michalowicz

Inter-Com, Inc.
469 Route 46 West
Kenvil, NJ  07847
Phone (201)252-1100
Fax   (201)252-9119
Email ici@planet.net

------------------------------

Date: Thu, 18 Apr 1996 11:37:25 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Virus-related FAQs [long]
X-Digest: Volume 9 : Issue 55

			 Virus-related FAQs
			 ------------------

Or where to find out what you want to know about viruses when you're in a
hurry (or a panic!). This resource lists the contents pages of three FAQs
and some ways to get hold of them. 

* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ will be included when it's ready.

I may expand this list to include other security FAQs, but this is a 
low-priority project. Please notify me of any errors by e-mail. 
Suggestions for other FAQs are welcome, but will be acted upon sooner
if someone else actually gathers the information. ;-)

David Harley
harley@icrf.icnet.uk

- -----------------------------------------

1) The alt.comp.virus FAQ [version 1.01e]
   ----------------------

The latest version of the alt.comp.virus FAQ document, maintained by
David Harley, is available as follows:

(i)     It's posted to alt.comp.virus every two weeks or so.

(ii)    ftp://ftp.icnet.uk/icrf-public/acv.FAQ

(iii)   e-mail to:

	harley@icrf.icnet.uk

	Subject: request a.c.v. FAQ
	Message: Optional, but unlikely to be read!

(iv)
	FTP://ftp.gate.net/pub/users/ris1/acvfaq.zip
	http://www.drsolomon.com/
	http://www.innet.net/~ewillems/
	http://www.agora.stm.it/N.Ferri/infos.htm

(v)     America Online: (Virus Information Center: Keyword VIRUS)

It's currently split into 4 sections and contains the following items.

Part 1
- -----

	(1)     I have a virus - what do I do?
	(2)     Minimal glossary
	(3)     What is a virus (Trojan, Worm)? 
	(4)     How do viruses work?
	(5)     How do viruses spread?
	(6)     How can I avoid infection?
	(7)     How does antivirus software work? 

Part 2
- -----

	(8)     What's the best anti-virus software 
			(and where do I get it)?
	(9)     Where can I get further information?
	(10)    Does anyone know about 
		* Mac viruses?
		* UNIX viruses?
		* macro viruses?
		* the AOLGold virus?
		* the xyz PC virus?
	(11)    Is it true that...?
	(12)    Favourite myths
		* DOS file attributes protect executable files from
		  infection
		* I'm safe from viruses because I don't use bulletin
		  boards/shareware/Public Domain software
		* FDISK /MBR fixes boot sector viruses
		* Write-protecting suspect floppies stops infection
		* The write-protect tab always stops a disk write
		* I can infect my system by running DIR on an infected
		  disk

Part 3
- -----

	(13) What are the legal implications of computer viruses?

Part 4
- -----

	(14)    Miscellaneous

	Are there anti-virus packages which check zipped files?
	What's the genb/genp virus?
	Where do I get VCL and an assembler, & what's the password?
	Send me a virus.
	Is it viruses, virii or what?
	Where is alt.comp.virus archived?
	What about firewalls?
	Viruses on CD-ROM.
	Removing viruses.
	Can't viruses sometimes be useful?
	Do I have a virus, and how do I know?
	What should be on a (clean) boot disk?
	How do I know I have a clean boot disk?
	What other tools might I need?
	What are rescue disks?
	Are there CMOS viruses?
	How do I know I'm FTP-ing 'good' software?
	What is 386SPART.PAR?
	Can I get a virus to test my antivirus package with?
	When I do DIR | MORE I see a couple of files with funny names...
	Reasons NOT to use FDISK /MBR
	Why do people write/distribute viruses?
	Where can I get an anti-virus policy?
	Placeholders

- --------------------------------------------------------------------

2) The VIRUS-L/comp.virus FAQ [vs. 2.00]
   --------------------------

You can get the Mk. 2 version of the VIRUS-L FAQ, maintained by Nick
FitzGerald, at

	ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip
	ftp://cs.ucr.edu/pub/virus-l/
	http://www.drsolomon.com/

This document is subject to revision, so the filename may change accordingly
in due course.

Version 2.00 contains the following sections/items.

[Items marked with an asterisk are also in the version 1 document, which 
continues to be posted on a monthly basis to the newsgroup, but the 
numbering  doesn't always correspond between the two versions. The Mk. 2
version is generally more detailed than the Mk. 1. However, the Mk. 1 may
sometimes be easier to get hold of in a hurry]

Section A:   Sources of Information and Antivirus Software
	     (Where can I find HELP?!!)

*A1)  What is Virus-L/comp.virus?
*A2)  What is the difference between Virus-L and comp.virus?
*A3)  How do I get onto or off Virus-L/comp.virus?
*A4)  What are the guidelines for Virus-L?
*A5)  How can I get back-issues of Virus-L?
*A6)  What are the known viruses, their names, major symptoms and
      possible cures?
*A7)  Where can I get free or shareware antivirus programs?
*A8)  Where can I get more information on viruses, etc?
 A9)  Why is so much of the discussion in Virus-L/comp.virus about PCs
      and DOS?  Is this forum only for the PC world?


Section B:   Definitions
	     (What is ...?)

*B1)  What are computer viruses (and why should I worry about them)?
 B2)  What is a Worm?
*B3)  What is a Trojan Horse?
*B4)  What are the main types of PC viruses?
*B5)  What is a stealth virus?
*B6)  What is a polymorphic virus?
*B7)  What are "fast" and "slow" infectors?
*B8)  What is a sparse infector?
*B9)  What is a companion virus?
*B10) What is an armored virus?
 B11) What is a cavity virus?
 B12) What is a tunnelling virus?
 B13) What is a dropper?
 B14) What is an ANSI bomb?
*B15) Miscellaneous Jargon and Abbreviations


Section C:   Virus Detection
	     (Is my computer infected?  What do I do?)

*C1)  What are the symptoms and indications of a virus infection?
*C2)  What steps should be taken in diagnosing and identifying viruses?
*C3)  What is the best way to remove a virus?
*C4)  What does the <insert name here> virus do?
*C5)  What are "false positives" and "false negatives"?
*C6)  Can an antivirus program itself be infected?
*C7)  Where can I get a virus scanner for my Unix system?
*C8)  Why does my scanner report an infection only sometimes?
*C9)  I think I have detected a new virus; what do I do?
*C10) CHKDSK reports 639K (or less) total memory on my system; am I
      infected?
*C11) I have an infinite loop of sub-directories on my hard drive; am I
      infected?
 C12) Can a PC not running DOS be infected with a common DOS virus?
 C13) My hard-disk's file system has been garbled:  Do I have a virus?


Section D:   Protection Plans
	     (What should I do to prepare against viruses?)

 D1)  What is the best antivirus program?
*D2)  Is it possible to protect a computer system with only software?
*D3)  Is it possible to write-protect the hard disk with software only?
*D4)  What can be done with hardware protection?
*D5)  Does setting a file's attributes to READ ONLY protect it from
      viruses?
*D6)  Do password/access control systems protect my files from viruses?
*D7)  Do the protection systems in DR DOS work against viruses?
*D8)  Does a write-protect tab on a floppy disk stop viruses?
*D9)  Do local area networks (LANs) help to stop viruses or do they
      facilitate their spread?
*D10) What is the proper way to make backups?


Section E:   Facts and Fibs About Computer Viruses
	     (Can a virus...?)

*E1)  Can boot sector viruses infect non-bootable DOS floppy disks?
*E2)  Can a virus hide in a PC's CMOS memory?
*E3)  Can a PC virus hide in Extended or in Expanded RAM in a PC?
*E4)  Can a virus hide in a PC's Upper Memory or its High Memory Area?
*E5)  Can a virus infect data files?
*E6)  Can viruses spread from one type of computer to another?
*E7)  Are mainframe computers susceptible to computer viruses?
*E8)  Some people say that disinfecting files is a bad idea.  Is that
      true?
*E9)  Can I avoid viruses by avoiding shareware, free software or games?
*E10) Can I contract a virus on my PC by performing a "DIR" of an
      infected floppy disk?
*E11) Is there any risk in copying data files from an infected floppy
      disk to a clean PC's hard disk?
*E12) Can a DOS virus survive and spread on an OS/2 system using the
      HPFS file system?
*E13) Under OS/2 2.0+, could a virus infected DOS session infect another
      DOS session?
*E14) Can normal DOS viruses work under MS Windows?
 E15) Can I get a virus from reading e-mail, BBS message forums or
      USENET News?
 E16) Can a virus "hide" in a GIF or JPEG file?


Section F:   Miscellaneous Questions
	     (I have heard...  I was just wondering...)

*F1)  How many viruses are there?
*F2)  How do viruses spread so quickly?
*F3)  What is the correct plural of "virus"?  "Viruses" or "viri" or
      "virii" or "vira" or...
*F4)  When reporting a virus infection (and looking for assistance), what
      information should be included?
*F5)  How often should we upgrade our antivirus tools to minimize
      software and labor costs and maximize our protection?
 F6)  What are "virus simulators" and what use are they?
 F7)  I've heard talk of "good viruses".  Is it really possible to use a
      computer virus for something useful?
 F8)  Wouldn't adding self-checking code to your programs be a good idea?


Section G:   Specific Virus and Antivirus Software Questions...

*G1)  I was infected by the Jerusalem virus and disinfected the infected
      files with my favorite antivirus program.  However, WordPerfect
      and some other programs still refuse to work.  Why?
*G2)  Is my disk infected with the Stoned virus?
*G3)  I was told that the Stoned virus displays the text "Your PC is now
      Stoned" at boot time.  I have been infected by this virus several
      times, but have never seen the message.  Why?
*G4)  I was infected by both Stoned and Michelangelo.  Why has my
      computer become unbootable?  And why, each time I run my favorite
      scanner, does it find one of the viruses and say that it is
      removed, but when I run it again, it says that the virus is still
      there?
*G5)  My scanner finds the Filler and/or Israeli Boot virus in memory,
      but after I boot from a clean floppy it reports no viruses.  Am I
      infected?
 G6)  I was infected with Flip and now a large part of my hard disk
      seems to have disappeared.  What has happened?
 G7)  What does the GenB and/or the GenP virus do?
 G8)  How do I "boot from a clean floppy"?
 G9)  My PC diagnostic utility lists "Cascade" amongst the hardware
      interrupts (IRQs).  Does this mean I have the Cascade virus?
 G10) Occasionally the text "welcome datacomp" appears in my Mac
      documents without me typing it.  Is this a virus?
 G11) How good are the antivirus tools included with MS-DOS 6?
 G12) When I do a "DIR | MORE", I see two files with random names that
      are not there when I just use "DIR".  On my friend's system they
      cannot be seen.  Do I have a virus?
 G13) What is the ChipAway virus?  (Or ChipAwayVirus?)

- --------------------------------------------------------------------

(6)     Macro-virus FAQ [version 2.0]
	---------------

Richard Martin maintains an FAQ on macro viruses. It is frequently 
posted to alt.comp.virus, and also available from:

	ftp.gate.net/pub/users/ris1/word.faq
	http://learn.senecac.on.ca/~jeashe/hsdemonz.htm

	E-mail to Bd326@TorFree.Net
		Subject: "PLEASE SEND FAQ"
	*OR*    
		Subject: "ADD TO MAIL LIST"
	*OR*
		Subject: "REMOVE FROM FAQ MAIL LIST"

	VIRUS WATCH BBS         (416)654-3814
	

The Word macro FAQ contains the following.

TOPICS/QUESTIONS:

       Preface: INTRODUCTION
       =====================

       1)  WHAT IS A MACRO?  WHAT IS A WORD MACRO?
	       1.1>    WHAT IS A VIRUS?
	       1.2>    WHAT IS A MS WORD MACRO VIRUS?
       2)  HOW DOES INFECTION OCCUR?
       3)  KNOWN FEATURES AND LIMITATIONS OF THE WINWORD FAMILY OF VIRUSES
       4)  VIRUS EXAMPLES
	       - 4.1 - CONCEPT
	       - 4.2 - NUCLEAR
	       - 4.3 - COLORS
	       - 4.4 - DMV
	       - 4.5 - HOT * NEW *
	       - 4.6 - MS WORD 2/MS WORD 6.x MACRO TROJAN WEIDEROFFEN * NEW *
	       - 4.7 - AMI PRO 3.0 MACRO VIRUS GREEN STRIPE  * NEW *
	       - 4.8 - WORDMACRO ATOM / ATOMIC * NEW *
	       - 4.9 - FORMATC MACRO TROJAN * NEW *
       5)  STRATEGY FOR CLEANING AND PREVENTING WORD MACRO INFECTIONS
       6)  SUGGESTED SOFTWARE:
	       -PRODUCTS THAT CAN DETECT/CLEAN WINWORD VIRUSES INFECTIONS
		IN DOCUMENTS
       7)  CREDITS & THANKS
       8)  DISTRIBUTION INFORMATION
       9)  WHERE CAN I OBTAIN UPDATED COPIES OF THIS FAQ?
       10) QUESTIONS THAT STILL NEED TO BE ANSWERED...
       11) DISCLAIMER

- --------------------------------------------------------------------

alt.comp.virus mini-FAQ - still under construction.

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 55]
*****************************************


